Biometrics Can Be Hacked Like Passwords

In the movies, we see spies and thieves bypass fingerprint scanners by lifting prints from something their target touched. That suggests that fingerprints aren’t as easily hacked as passwords. I also wrote earlier that fingerprints and other biometric technologies are the new thing in security in this dark period of password hacking left and right, and that for the meantime, hackers will have a difficult time brute-forcing or guessing their way into secured systems. Apple began using fingerprint technology with the release of the iPhone 5S. Samsung followed suit with the Galaxy S5, and Windows 10 is set to use biometrics through its Windows Hello technology. However, it seems that the meantime is actually quite short.

The problem is actually not in the biometric methods themselves but in how they’re implemented. It’s always the human element. Some Android phone manufacturers apparently took the security out of the phrase “biometric security” by storing fingerprint data in a way that made it easy to access. This is very bad juju for people who use their phones or tablets to do transactions on the internet and use their fingerprints for authentication.

One of these manufacturers, HTC, was found guilty of storing raw, world-readable fingerprint data in an easily accessible folder within the system, specifically on the HTC One Max phone. Whether this was an oversight by the struggling phone manufacturer or plain laziness remains to be seen. More minus points for HTC. What people using its products can expect, though, is that malware designed to exploit such a vulnerability can harvest fingerprint data as easily as thieves can get fingerprints off a used wine glass. HTC isn’t alone in the insecure fingerprint department. According to security firm FireEye, Samsung and other Android manufacturers are guilty of not fully taking advantage of ARM’s TrustZone technology. FireEye also states that Android itself isn’t secure and that the fingerprint technology can be accessed through already known exploits. This is made easier since manufacturers take their time in updating their devices.
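
The “world-readable” problem described above comes down to file permission bits: a file is exposed to every local process when it grants read access to “other” users and every directory leading to it can be traversed by them. The Python audit below is an added example, not code from HTC, FireEye or the original article; the file names, directory layout and modes are constructed for illustration.

```python
import os
import stat
import tempfile

def reachable_by_others(path, root):
    """o+r on the file and o+x on every directory from root down (mode bits only)."""
    if not os.lstat(path).st_mode & stat.S_IROTH:
        return False
    rel = os.path.relpath(os.path.dirname(path), root)
    parts = [] if rel == "." else rel.split(os.sep)
    dirs = [os.path.join(root, *parts[:i]) for i in range(len(parts) + 1)]
    # A directory without o+x shields everything below it.
    return all(os.stat(d).st_mode & stat.S_IXOTH for d in dirs)

def audit(root):
    """Sorted relative paths of regular files under root that any local user can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode) and reachable_by_others(full, root):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)

def harden(root, relpaths):
    """Restrict each flagged file to its owner (mode 0600)."""
    for rel in relpaths:
        os.chmod(os.path.join(root, rel), 0o600)

def build_sample_tree():
    root = tempfile.mkdtemp()
    layout = {  # constructed sample: relative path -> (directory mode, file mode)
        "scan_raw.bmp": (0o755, 0o644),          # exposed
        "private/template.bin": (0o700, 0o644),  # shielded by its 0700 directory
        "service/template.bin": (0o755, 0o600),  # owner-only file
    }
    for rel, (dmode, fmode) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample bytes")
        os.chmod(full, fmode)
        os.chmod(os.path.dirname(full), dmode)
    return root

if __name__ == "__main__":
    demo = build_sample_tree()
    print("before:", audit(demo))
    harden(demo, audit(demo))
    print("after: ", audit(demo))
```

The second sample file is protected only by its parent directory’s mode, so it would become exposed if that directory were later loosened; setting the file itself to owner-only removes that dependency.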

This is a real shame, as it turns out that in Android land, fingerprint scanning is more of a novelty. Reports have yet to come from Apple’s and Microsoft’s sides of the fence. Still, one can’t dismiss the potential of correctly implemented biometrics as a faster and easier way of authentication and security. For now, what’s a user to do? Users can still go back to the tried and true passcode method. Biometrics registration isn’t mandatory for online services yet. For unlocking personal devices like phones, tablets and laptops, biometrics are great, secure and convenient as long as there’s no online way to access the biometric signatures. Here’s to hoping the technology matures, because remembering passwords, especially the alphanumeric-symbolic-case-mixed type, is really a chore.